Question
I am developing an intranet application and would like to use the existing organisation's Active Directory for user authentication and policy-based role authorisation.
Can someone point me in the right direction? I am getting a bit confused (well actually a lot confused).
Thank you
Answer 1:
Per Authentication and Authorization resources under http://docs.asp.net/en/latest/security/index.html
First start a new ASP.Net Web Application project, pick the Web Application template, then on the right pane press the "Change Authentication" button and pick "Windows Authentication".
You can now use [Authorize] on a class or method to check basic authentication vs Active Directory. As of RC2 you can simply use the group names, a la [Authorize(Roles=@"DOMAIN\GROUP")]
The now obsolete and cumbersome alternative (still works):
If you look at User.Claims you can see the groupsid keys exist for each of the user's groups. Building off that you can do something like [Authorize(Policy="FOOBAR")] and define it in your Startup.ConfigureServices method via

    services.AddAuthorization(
        o => o.AddPolicy(
            "FOOBAR",
            p => p.RequireClaim("http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                                "ENTER GROUP SID")
        ));

Note that the second param to RequireClaim is a string array to allow for multiple groups.
Also note: to figure out group IDs, use this command line magic: dsquery group -name "ENTER GROUP NAME" | dsget group -sid
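
The SID-based policy from the answer above, as an added example that is not part of the original answer: it resolves group names to SIDs at startup instead of pasting dsquery output, and registers one policy that accepts several groups. The policy name, the CONTOSO group names and LedgerController are placeholders; it assumes a domain-joined Windows host, the RC2-era Microsoft.AspNetCore namespaces, and (on .NET Core) the System.Security.Principal.Windows package.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AdGroupPolicies
{
    // Hypothetical policy name and placeholder group names; replace with your own.
    public const string FinanceAdmins = "FinanceAdmins";
    private static readonly string[] FinanceGroups =
    {
        @"CONTOSO\Finance-Admins",
        @"CONTOSO\Finance-Auditors",
    };

    // Resolve DOMAIN\GROUP to its SID string. Translate() throws
    // IdentityNotMappedException for an unknown group, so a typo stops the
    // application at startup instead of yielding a policy nobody can satisfy.
    public static string ToSid(string account) =>
        new NTAccount(account).Translate(typeof(SecurityIdentifier)).Value;

    // Call from Startup.ConfigureServices: services.AddAdGroupPolicies();
    public static void AddAdGroupPolicies(this IServiceCollection services)
    {
        string[] sids = FinanceGroups.Select(ToSid).ToArray();
        services.AddAuthorization(o => o.AddPolicy(
            FinanceAdmins,
            p => p.RequireAuthenticatedUser()
                  // ClaimTypes.GroupSid is the groupsid claim URI used above.
                  // The requirement passes when the user holds ANY listed SID.
                  .RequireClaim(ClaimTypes.GroupSid, sids)));
    }
}

// Every action on this controller requires membership in one of the groups.
[Authorize(Policy = AdGroupPolicies.FinanceAdmins)]
public class LedgerController : Controller
{
    public IActionResult Index() => Content("ok");
}
```

Because the policy matches on SIDs, it keeps working if a group is renamed in Active Directory, whereas a Roles=@"DOMAIN\GROUP" check is tied to the name.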
Source: https://stackoverflow.com/questions/34538724/how-to-use-active-directory-for-asp-net-5-mvc6-intranet-application